The present invention concerns a method and system for subscriber authentification and/or encryption of items of information for use in a mobile radiotelephone network.
In the article "Safety First bei europaweiter Mobilkommunikation," telcom report 16 (1993), no. 6, pp. 326 to 329, a method and system are described for protecting subscriber data against unauthorized access and against misuse of items of personal subscriber information for mobile subscribers of a cellular digital mobile radiotelephone network according to the international GSM standard (Global System for Mobile Communication). The mobile subscribers, who can communicate across national borders in the networks of the various providers, thereby identify themselves to the respective network with a subscriber identity module, also called a SIM card, which is contained in the radiotelephone subscriber station. After receiving the SIM card, the mobile subscriber is registered in an authentification center, which respectively provides security parameters and security algorithms for protection of the subscriber data to the mobile subscribers. For this purpose, the authentification center is provided with a security box in which the security algorithms are implemented. In addition, there is also the familiar possibility of encrypting (ciphering) the items of information for the transmission.
Due to the high security relevance, the GSM security measures, in particular the security parameters and the security algorithms, are accessible only to the network operators who have agreed to the international mobile radiotelephone network standard in a common agreement ("Memorandum of Understanding"), and to infrastructure manufacturers. Thus, these security measures can be used only in mobile radio networks, and cannot be used in other networks, e.g. in private networks (corporate networks). An application between the GSM standard and another radiotelephone standard, e.g. the DECT standard (Digital Enhanced Cordless Telecommunication), or an application in a universal communication network (universal personal telecommunication, UPT) is not possible without problems, even if common agreements exist between a network operator of a GSM mobile radiotelephone network and another network operator concerning support of subscriber mobility (roaming) between the networks. Thus either agreements exist only between mobile radiotelephone networks that support the GSM standard, or interworking between networks of different radiocommunication standards is possible only through duplicate subscriber entries in the subscriber databases of both networks, and thus through different authentification methods.
It is an object of the present invention to provide a method and system for subscriber authentification and/or for encryption of items of information by which the security measures can also be applied, with the smallest possible outlay, in other networks respectively connected with the mobile radiotelephone network.
In general terms the present invention is a method for subscriber authentification and/or for encryption of items of information, in which mobile subscribers identify themselves to a mobile radiotelephone network with a subscriber identity module contained in a subscriber station and are installed in at least one subscriber database of the mobile radiotelephone network and are registered in an authentification center. The center respectively provides security parameters and security algorithms for the mobile subscribers, for the protection of the subscriber data. Subscribers of another network connected with the mobile radiotelephone network via an interface identify themselves with the subscriber identity module. They are set up in at least one subscriber database of the other network. The security parameters for the installed subscriber of the other network are requested via the interface, are provided by the authentification center of the mobile radiotelephone network and are transmitted to the other network via the interface, without the execution of a subscriber entry in the subscriber database of the mobile radiotelephone network. The subscriber authentification for the subscribers of the other network and/or the encryption of the items of information on the basis of the security parameters received from the mobile radiotelephone network are executed in this other network.
Advantageous developments of the present invention are as follows.
The authentification center that respectively provides the security parameters in the mobile radiotelephone network is determined by a subscriber identification that is read from the subscriber identity module by the subscriber station and is sent via the interface.
The security parameters received by the other network are entered into the subscriber database in addition to the subscriber data. The subscriber database is the home database of the subscribers registered in the other network.
Before additional sets of security parameters are made available, one or several sets of security parameters are respectively requested and transmitted via the interface, and the subscriber authentification and/or encryption is carried out.
The mobile radiotelephone network is a cellular mobile radiotelephone network according to the GSM standard, which network provides GSM security parameters for the subscribers of the other network.
Given the use of a radiotelephone subscriber station for the subscribers of the other network, the security algorithms contain measures for the encryption of the items of information to be sent via air between the radiotelephone subscriber station and a base station.
The present invention is also a system for subscriber authentification and/or for encryption of items of information, in which mobile subscribers identify themselves to a mobile radiotelephone network with a subscriber identity module contained in a subscriber station. They are installed in at least one subscriber database of the mobile radiotelephone network and are registered in an authentification center, from which security parameters and security algorithms for the mobile subscribers can respectively be provided for the protection of the subscriber data. The mobile radiotelephone network is connected via an interface with another network whose subscribers identify themselves with the subscriber identity module of their subscriber stations and are installed at least in a subscriber database of the other network. Means are provided in the other network that request security parameters for the installed subscriber of the other network via the interface; means are provided in the respective authentification center of the mobile radiotelephone network that provide the security parameters; means are provided in the mobile radiotelephone network that transmit the security parameters via the interface to the other network, without a subscriber entry in the subscriber database of the mobile radiotelephone network thereby being carried out. Means are provided in the other network that carry out the subscriber authentification for the subscribers of the other network and/or the encryption of the items of information on the basis of the security parameters received from the mobile radiotelephone network.
The security parameters are provided by the mobile radiotelephone network for subscribers of a different network via an interface connecting both networks, without carrying out subscriber entries for these subscribers in at least one subscriber database of the mobile radiotelephone network. The subscribers of the other network thereby identify themselves respectively with the subscriber identity module, and are installed at least in a subscriber database of the other network. The security parameters for the subscribers installed in the other network are requested via the interface, are provided by an authentification center of the mobile radiotelephone network and are transmitted to the other network via the interface. Entry of the subscriber in the subscriber database of the mobile radiotelephone network is omitted, which also, in particular, has the advantage that no mobile subscriber call number need be assigned in the mobile radiotelephone network, and thus no management of the subscribers of the other network need be carried out. On the basis of the security parameters supplied by the mobile radiotelephone network and received in the other network, the subscriber authentification for the subscribers registered in the other network and/or the encryption of the items of information is carried out. In this way, the other network, which for example represents a private network with private branch exchanges, can independently handle the security measures for protection against unauthorized access to subscriber data, and against misuse of individual subscriber data and/or for the encryption of the items of information, without this affecting the mobile radiotelephone network (with the exception of the transmission of the security parameters), and without the other network's having to implement the highly secret security algorithms for determining the security parameters in the other network.
It is thereby advantageous if at first at least one set of security parameters is requested via the interface and is transmitted, and the subscriber authentification or, respectively, encryption is carried out before a new request is initiated from the other network to the mobile radiotelephone network for the provision of additional sets of security parameters. The security parameters and security algorithms for subscriber authentification, and preferably also for encrypting items of information sent via air between a base station and a radiotelephone subscriber station, are used both in the case of communication of the subscriber via the other network (e.g., the private network supporting the DECT radiotelephone standard) and in the case of subscriber communication in which the subscriber changes his location from a region of the other network into the service area of the mobile radiotelephone network.
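The exchange described in the method above and in this last development, as an added simulation that is not part of the patent: the authentification center holds the subscriber keys and hands out only derived parameter sets (challenge, expected response, cipher key) over the interface; the other network keeps those sets beside the subscriber entry in its own home database, runs the challenge-response against the SIM itself, and requests a fresh batch only after the stored sets are used up. The class names, the HMAC-based stand-in for the operator-secret GSM algorithms, the batch size and the sample subscriber key are assumptions for this illustration.

```python
import hmac
import hashlib
import os


def derive(key, challenge):
    """Stand-in for the operator-secret GSM algorithms (an assumption for
    this example): expected response and cipher key from key + challenge."""
    digest = hmac.new(key, challenge, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class AuthenticationCenter:
    """Authentification center of the mobile radiotelephone network.
    Holds the subscriber keys; only derived parameter sets ever leave it."""
    def __init__(self, subscriber_keys):
        self._keys = subscriber_keys          # subscriber id -> key (constructed)

    def provide_parameter_sets(self, subscriber_id, count):
        key = self._keys[subscriber_id]
        sets = []
        for _ in range(count):
            challenge = os.urandom(16)
            response, cipher_key = derive(key, challenge)
            sets.append((challenge, response, cipher_key))
        return sets


class Sim:
    """Subscriber identity module inside the subscriber station."""
    def __init__(self, subscriber_id, key):
        self.subscriber_id, self._key = subscriber_id, key

    def answer(self, challenge):
        return derive(self._key, challenge)


class OtherNetwork:
    """The other network (e.g. a DECT private network). Its home database
    stores parameter sets beside the subscriber entry; it never sees a key."""
    def __init__(self, auc, batch_size=3):
        self.auc, self.batch_size = auc, batch_size
        self.home_db, self.requests = {}, 0

    def authenticate(self, sim):
        """Returns the cipher key for air-interface encryption on success,
        None on failure. A new batch is requested over the interface only
        once the stored sets are used up."""
        sets = self.home_db.setdefault(sim.subscriber_id, [])
        if not sets:
            sets.extend(self.auc.provide_parameter_sets(sim.subscriber_id, self.batch_size))
            self.requests += 1
        challenge, expected, cipher_key = sets.pop(0)
        response, _ = sim.answer(challenge)
        return cipher_key if hmac.compare_digest(response, expected) else None
```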